wordpress绝对路径泄露+分析

来源:neeao blog
by:xy7 [B.C.T]

无意中改下就暴路径了,应该所有版本都有,测试了正式版和几个beta版,具体版本漏洞代码所在行数不同而已,又是数组和变量的老问题,相信很多地方都还存在。
问题出在搜索的参数,http://XXX.com/index.php?s= 改成 http://XXX.com/index.php?s[]=
Warning: rawurlencode() expects parameter 1 to be string, array given in /home/xxx/public_html/wp-includes/classes.php on line 227

问题很小,突然想起一件很有意义的事,就看了下代码,写个比较完整点的文档

看URL就知道变量s的问题,找sgeneral-template.php 878行:

function the_search_query() {
global $s;
echo wp_specialchars( stripslashes($s), 1 );
}

怎么过滤的,找函数wp_specialchars:
formatting.php 107行:

function wp_specialchars( $text, $quotes = 0 ) {
// Like htmlspecialchars except don't double-encode HTML entities
$text = str_replace('&&', '&&', $text);
$text = str_replace('&&', '&&', $text);
$text = preg_replace('/&(?:$|([^#])(?![a-z1-4]{1,8};))/', '&$1', $text);
$text = str_replace('<', '<', $text);
$text = str_replace('>', '>', $text);
if ( 'double' === $quotes ) {
$text = str_replace('"', '"', $text);
} elseif ( 'single' === $quotes ) {
$text = str_replace("'", ''', $text);
} elseif ( $quotes ) {
$text = str_replace('"', '"', $text);
$text = str_replace("'", ''', $text);
}
return $text;
}

过滤的很好但不是关键,看报错找rawurlencode()函数:
classes.php 222行:

function build_query_string() {
$this->query_string = '';
foreach (array_keys($this->query_vars) as $wpvar) {
if ( '' != $this->query_vars[$wpvar] ) {
$this->query_string .= (strlen($this->query_string) < 1) ? '' : '&';
$this->query_string .= $wpvar . '=' . rawurlencode($this->query_vars[$wpvar]);
}
}

$wpvar被传到rawurlencode函数里,导致函数出错,那$wpvar的值是什么呢?跟变量s有什么关系?往上看,第4行:

var $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'debug', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots');

前面s已经global了,看到s被包含在数组中,接着找$wpvar,137行:

$this->public_query_vars = apply_filters('query_vars', $this->public_query_vars);

for ($i=0; $i<count($this->public_query_vars); $i += 1) {
$wpvar = $this->public_query_vars[$i];
if (isset($this->extra_query_vars[$wpvar]))
$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
elseif (isset($GLOBALS[$wpvar]))
$this->query_vars[$wpvar] = $GLOBALS[$wpvar];
elseif (!empty($_POST[$wpvar]))
$this->query_vars[$wpvar] = $_POST[$wpvar];
elseif (!empty($_GET[$wpvar]))
$this->query_vars[$wpvar] = $_GET[$wpvar];
elseif (!empty($perma_query_vars[$wpvar]))
$this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
}

$wpvar这里获得了s的值,接着就把变量s带入函数rawurlencode里做转换,这里把变量s改为数组提交,漏洞就产生了,很清楚的看到报错提示:
Warning: rawurlencode() expects parameter 1 to be string, array given in….

over!

相关日志

楼被抢了 3 层了... 抢座Rss 2.0或者 Trackback

发表评论